LDAP-UX Client Services B.04.15 Administrator's Guide

2.5 Configure Your Directory
This section describes how to configure your directory to work with LDAP-UX Client Services.
Examples are given for Netscape Directory Server for HP-UX version 6.x. See the LDAP-UX
Integration B.04.10 Release Notes for information on supported directories. If you have a different
directory, see the documentation for your directory for details on how to configure it.
See Preparing Your LDAP Directory for HP-UX Integration at http://docs.hp.com/hpux/internet for
more details on directory configuration.
1. Install the posix schema (RFC 2307) into your directory.
If you have Netscape Directory Server for HP-UX version 4.0, or later, the posix schema is
already installed.
The schema is in the file /opt/ldapux/ypldapd/etc/slapd-v3.nis.conf. For information on the
posix schema (RFC 2307), see http://www.ietf.org/rfc.html. RFC 2307 defines object classes
such as posixAccount, posixGroup, and shadowAccount. posixAccount represents a user entry
from /etc/passwd, posixGroup represents a group entry from /etc/group, and shadowAccount
carries additional user information for added security.
2. Restrict write access to certain passwd (posixAccount) attributes of the posix schema.
CAUTION: Make sure you restrict access to the attributes listed below. Allowing users to
change them could be a security risk.
Grant write access of the uidnumber, gidnumber, homedirectory, and uid attributes only
to directory administrators; disallow write access by all other users. You may want to restrict
write access to other attributes in the passwd (posixAccount) entry as well.
With Directory Server for HP-UX, you can use the Directory Console or ldapmodify to set
up access control instructions (ACI) so ordinary users cannot change these attributes in their
passwd entry in the directory.
The following access control instruction is by default at the top of the directory tree for a 6.x
Netscape directory. This ACI allows a user to change any attribute in their passwd entry:
aci: (targetattr = "*")(version 3.0; acl "Allow self entry modification";
     allow (write) userdn = "ldap:///self";)
You could modify this example ACI to the following, which prevents ordinary users from
changing their uidnumber, gidnumber, homedirectory, and uid attributes:
aci: (targetattr != "uidnumber || gidnumber || homedirectory || uid")
     (version 3.0; acl "Allow self entry modification, except for important posix attributes";
     allow (write) userdn = "ldap:///self";)
You may have other attributes you need to protect as well.
To change an ACI with the Directory Console, select the Directory tab, select your directory
suffix in the left-hand panel, then select the Object: Set Access Permissions menu item. In
the dialog box, select the "Allow self entry modification" ACI and click OK. Use the Set
Access Permissions dialog box to modify the ACI. See "Managing Access Control" in the
Netscape Directory Server Administrator's Guide for complete details.
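To check whether an ACI still lets users change the protected posixAccount attributes on their own entry, the following audit helper parses the targetattr clause and the self-write permission. It is an added example, not code from this guide or from Directory Server; it evaluates one ACI in isolation and does not model how the server combines several ACIs. The two sample ACI strings are the ones quoted above, re-joined onto one line each.

```python
import re

# Attributes the guide says only directory administrators may write (step 2).
PROTECTED_POSIX_ACCOUNT = {"uidnumber", "gidnumber", "homedirectory", "uid"}

# The two ACIs quoted in the guide, re-joined onto one line each (constructed sample input).
DEFAULT_ACI = ('(targetattr = "*")(version 3.0; acl "Allow self entry modification"; '
               'allow (write)userdn = "ldap:///self";)')
RESTRICTED_ACI = ('(targetattr != "uidnumber || gidnumber || homedirectory || uid")'
                  '(version 3.0; acl "Allow self entry modification, except for important '
                  'posix attributes"; allow (write)userdn = "ldap:///self";)')

# targetattr clause: operator (= or !=) and the quoted attribute list, items separated by ||.
_TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)', re.IGNORECASE)
# allow(...) permission list bound to the entry's own DN.
_SELF_ALLOW_RE = re.compile(r'allow\s*\(([^)]*)\)\s*userdn\s*=\s*"ldap:///self"', re.IGNORECASE)


def parse_targetattr(aci):
    """Return (negated, attrs): attrs is the lower-cased set from targetattr; "*" means all."""
    m = _TARGETATTR_RE.search(aci)
    if not m:
        raise ValueError("ACI has no targetattr clause")
    negated = m.group(1) == "!="
    attrs = {a.strip().lower() for a in m.group(2).split("||") if a.strip()}
    return negated, attrs


def self_writable(aci, attr):
    """True if this single ACI lets users write `attr` in their own entry."""
    m = _SELF_ALLOW_RE.search(aci)
    if not m:
        return False
    perms = {p.strip().lower() for p in m.group(1).split(",")}
    if "write" not in perms and "all" not in perms:
        return False
    negated, attrs = parse_targetattr(aci)
    attr = attr.lower()
    if negated:                      # targetattr != "a || b": everything except the list
        return attr not in attrs
    return "*" in attrs or attr in attrs


def exposed_attributes(aci, protected=PROTECTED_POSIX_ACCOUNT):
    """Protected attributes that the ACI still leaves self-writable (sorted, for reporting)."""
    return sorted(a for a in protected if self_writable(aci, a))


if __name__ == "__main__":
    for name, aci in (("default", DEFAULT_ACI), ("restricted", RESTRICTED_ACI)):
        print(f"{name}: still self-writable -> {exposed_attributes(aci) or 'none'}")
```

Run it against the ACI values exported from your own directory (for example with ldapsearch on the aci attribute) to confirm that none of the four attributes remains self-writable after the change.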
3. Restrict write access to certain group (posixGroup) attributes of the posix schema.
Grant write access of the cn, memberuid, gidnumber, and userPassword attributes only to
directory administrators; disallow write access by all other users.
With Netscape/Red Hat Directory Server for HP-UX, you can use the Directory Console or
ldapmodify to set up access control lists (ACL) so ordinary users cannot change these
attributes in the posixGroup entry in the directory. For example, the following ACI, placed